Lucene search
HistoryApr 25, 2024 - 4:15 p.m.
CVE-2023-6717
keycloak
saml
xss
cross-site scripting
security flaw
administrator
javascript
authorization
confidentiality
integrity
availability
nvd
6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
5.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.4%
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.
CNA Affected
[
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-operator-bundle",
"defaultStatus": "affected",
"versions": [
{
"version": "22.0.10-1",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-rhel9",
"defaultStatus": "affected",
"versions": [
{
"version": "22-13",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-rhel9-operator",
"defaultStatus": "affected",
"versions": [
{
"version": "22-16",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22.0.10",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "keycloak",
"cpes": [
"cpe:/a:redhat:build_keycloak:22"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss A-MQ 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected",
"packageName": "keycloak",
"cpes": [
"cpe:/a:redhat:amq_broker:7.12"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-data-index-ephemeral-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-5",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-data-index-postgresql-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-5",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-5",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-5",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-5",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-operator-bundle",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-5",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-rhel8-operator",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-3",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-swf-builder-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-5",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOSS-1.33-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-serverless-1/logic-swf-devmode-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.33.0-5",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:openshift_serverless:1.33::el8"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Applications 6",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "mta/mta-ui-rhel8",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:6"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Applications 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "mta/mta-ui-rhel9",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "org.keycloak/keycloak-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:quarkus:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Data Grid 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Decision Manager 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_brms_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Developer Hub",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhdh-hub-container",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:rhdh:1"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Integration Service Registry",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:service_registry:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Data Grid 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "org.keycloak-keycloak-parent",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "rh-sso7-keycloak",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat OpenShift GitOps",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "openshift-gitops-1/gitops-rhel8-operator",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Process Automation 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
]
}
]Related
vulnrichment
vulnrichment
nvd
nvd
CVE-2023-6717
2024-04-25 16:15:10
veracode
veracode
Cross-site Scripting (XSS)
2024-04-18 10:29:03
cgr
cgr
CVE-2023-6717 vulnerabilities
2024-05-19 03:07:16
osv
osv
redhatcve
redhatcve
CVE-2023-6717
2024-04-17 13:00:55
wolfi
wolfi
CVE-2023-6717 vulnerabilities
2024-06-25 15:33:25
cvelist
cvelist
github
github
redhat
redhat
6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
5.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.4%
Related for CVE-2023-6717